Individual Digital Certificates and PKI Chris Connolly Peter

Individual Digital Certificates and PKI Chris Connolly Peter van Dijk Galexia Consulting http: //www. galexia. com. au 1

1. Introduction ¨ Galexia Consulting ¨ Federal Privacy Commissioner’s Discussion Paper on Digital Certificates – forthcoming ¨ Importance of authentication technologies – why PKI? ¨ Scope of this presentation – focus on ‘trust’ issues 2

2. Why Public Key Technology? ¨ Public Key Technology involves the use of digital signatures. These signature are used for: – Authentication - confirm who you are – Integrity - what you sent – Non-repudiation - you can’t deny it ¨ Additionally – Confidentiality - what you can see - enables the encryption and decryption of information sent between two parties 3

2. What is PKI? ¨ Public Key Infrastructure (PKI) is the combination of software, encryption technologies (PKT), and services that enables organisations to protect the security of their communications and business transactions on the Internet ¨ PKIs integrate digital certificates, public-key cryptography, and certificate authorities into a shared network security architecture, including: – – 4 issuance of digital certificates to individual users end-user enrolment software integration with corporate certificate directories tools for managing, renewing, and revoking certificates

2. Components of a PKI http: //www. baltimore. com 5

2. Components of a PKI A PKI comprises the following components: ¨ Certificate Authorities (CAs): These are responsible for issuing and revoking certificates. ¨ Registration Authorities (RAs): These verify the binding between public keys and the identities of their holders. They conduct the initial verification of a potential subscriber’s identity and/or attributes; . ¨ Subscribers/Digital Certificate holders: People, machines or software agents that have been issued with certificates and can use them to sign digital documents. ¨ Clients: These validate digital signatures and their certification paths from a trusted CA's public key. ¨ Relying parties: Rely on the contents of a digital certificate in communicating with subscribers. ¨ Repositories/Directories: These store and make available certificates and certificate revocation lists. ¨ Security policy: This sets out and defines the organization's top-level direction on information security, as well as the processes and principles for the us of cryptography. 6

2. What is a Digital Certificate? ¨ A digital form of identification – Similar to a passport or driver’s licence – Binds subject’s public key (a mathematical value) to one or more attributes relating to their identity ¨ A certificate is valid for a period of time, (often one, three or ten years) ¨ Certificates can do different things. For example: – – 7 Encrypt a document Sign a document – for non-repudiation Secure a WWW server Provide authentication - Enable the holder to access a corporate new work

2. Example Certificate (1) ¨ Certificate Summary 8

2. Example Certificate (2) ¨ Certificate Attribute details : Key Usage 9

2. Example Certificate (3) ¨ Certificate Attribute details : Subject 10

3. PKI Models ¨ There a number of factors that differentiate PKI applications: – The level of identification (ranging from anonymous to fully identified); – The use of attributes; – The potential for multi-purpose/multi-use certificates; and – The use of online services, tokens and mobile devices. 11

3. Case Studies ¨ Case study 1 – Australian State government agency applications ¨ Case study 2 – Multi agency application ¨ Case study 3 – Health smart card ¨ Case study 4 – Patent application ¨ Case study 5 – Banking application 12

3. Case Studies - Commonwealth ¨ Australian Federal Agency applications – Centrelink – Australian Electoral Commission – Health Insurance Commission – Customs – Electronic Tenders – Jobsearch ¨ Case study 6 – The Australian Business Number – Digital Signature Certificate (ABN-DSC) 13

4. Overview of privacy implications ¨ 1. Collection, use, and disclosure of personal information – By Certification Authorities and Registration Authorities: – By Relying Parties: ¨ 2. Storage and destruction ¨ 3. Certificate Revocation Lists (CRLs) 14

4. Privacy (continued) ¨ 4. Logging of CRL lookups ¨ 5. Revocation of a certificate ¨ 6. Cooperation with law enforcement agencies ¨ 7. Access and correction rights ¨ 8. Security 15

4. Privacy (Continued) ¨ 9. Identification requirements ¨ 10. Unique identifiers ¨ 11. Potential for additional use of data (“function creep”) ¨ 12. Risk management practices ¨ 13. Limits on user choice 16

5. Conclusion ¨ Tools to build ‘trust’ in digital certificates ¨ Future trends/issues in PKI ¨ Ongoing discussion and consultation 17